adding enhanced csrf protection

app-code/api/account/update_2fa.php

@@ -2,7 +2,11 @@
 include "../utils/security.php";
 secure_session_start();
 require_same_origin_request();
+require_csrf_token();
 header('Content-Type: application/json');
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+	json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
+}
 
 // Check if the user is logged in
 require_logged_in();

app-code/api/account/update_message.php

@@ -2,7 +2,11 @@
 include "../utils/security.php";
 secure_session_start();
 require_same_origin_request();
+require_csrf_token();
 header('Content-Type: application/json');
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+	json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
+}
 
 // Check if the user is logged in
 require_logged_in();

app-code/api/account/update_passkey.php

@@ -6,6 +6,7 @@ header('Content-Type: application/json');
 include "../utils/security.php";
 secure_session_start();
 require_same_origin_request();
+require_csrf_token();
 
 require_once 'WebAuthn.php';
 

app-code/api/account/update_pw.php

@@ -2,7 +2,11 @@
 include "../utils/security.php";
 secure_session_start();
 require_same_origin_request();
+require_csrf_token();
 header('Content-Type: application/json');
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+	json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
+}
 
 // Check if the user is logged in
 require_logged_in();

app-code/api/account/update_user_data.php

@@ -2,6 +2,7 @@
 include "../utils/security.php";
 secure_session_start();
 require_same_origin_request();
+require_csrf_token();
 header('Content-Type: application/json');
 
 // Check if the user is logged in